用 kinit 登录 kerberos,然后使用 CURL 访问 REST API,需要在 CURL 命令行上增加 --negotiate -u :参数。例如:
- $ klist -e -k /etc/security/keytabs/hdfs.headless.keytab
- Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
- KVNO Principal
- ---- --------------------------------------------------------------------------
- 1 hdfs-hdp1@AMBARI.APACHE.ORG (aes256-cts-hmac-sha1-96)
- 1 hdfs-hdp1@AMBARI.APACHE.ORG (des-cbc-md5)
- 1 hdfs-hdp1@AMBARI.APACHE.ORG (aes128-cts-hmac-sha1-96)
- 1 hdfs-hdp1@AMBARI.APACHE.ORG (des3-cbc-sha1)
- 1 hdfs-hdp1@AMBARI.APACHE.ORG (arcfour-hmac)
- $ kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hdp1@AMBARI.APACHE.ORG
- $ curl -k -i --negotiate -u : http://u1401.ambari.apache.org:50070/webhdfs/v1/tmp?op=LISTSTATUS
freeipa 带有 kerberos KDC 代理功能。执行 ipa-server-install 的时候有提示:
- Configuring the web interface (httpd). Estimated time: 1 minute
- [16/21]: create KDC proxy user
- [17/21]: create KDC proxy config
- [18/21]: enable KDC proxy
-
通过KdcProxy可以让kinit客户端以https协议通过代理连接到KDC。
首先需要把freeipa的证书复制到客户端所在的机器上:
- $ cd /etc/ipa
- $ openssl X509 -in ca.crt -out ca.pem
- $ scp ca.pem root@c7002:/etc/ssl/. (复制到c7002节点)
-
配置c7002节点的kerberos客户端配置文件(/etc/krb5.conf):
- [libdefaults]
- default_realm = AMBARI.APACHE.ORG
-
- [realms]
- AMBARI.APACHE.ORG = {
- http_anchors = FILE:/etc/ssl/ca.pem
- kdc = https://c7004.ambari.apache.org/KdcProxy
- kpasswd_server = https://c7004.mbari.apache.org/KdcProxy
-
在 c7002 节点上测试KDC代理。环境变量KRBT_TRACE可以让kerberos调试信息输出到文件(/dev/stdout表示输出到屏幕):
- $ env KRB5_TRACE=/dev/stdout kinit admin
- [29875] 1497331322.495260: Getting initial credentials for admin@AMBARI.APACHE.ORG
- [29875] 1497331322.495434: Sending request (196 bytes) to AMBARI.APACHE.ORG
- [29875] 1497331322.495463: Resolving hostname c7004.ambari.apache.org
- [29875] 1497331322.619668: TLS certificate name matched "c7004.ambari.apache.org"
- [29875] 1497331322.623893: Sending HTTPS request to https 192.168.70.104:443
- [29875] 1497331322.629792: Received answer (272 bytes) from https 192.168.70.104:443
- [29875] 1497331322.629809: Terminating TCP connection to https 192.168.70.104:443
- [29875] 1497331322.630005: Response was not from master KDC
- [29875] 1497331322.630206: Received error from KDC: -1765328359/Additional pre-authentication required
- [29875] 1497331322.630269: Processing preauth types: 136, 19, 2, 133
- [29875] 1497331322.630288: Selected etype info: etype aes256-cts, salt "Ar>LhD/*\>smo3/3", params ""
- [29875] 1497331322.630296: Received cookie: MIT
- Password for admin@AMBARI.APACHE.ORG:
- (略)
-
从上面的调试信息可以看出 kinit 连接是通过 https 的 443 端口连接到 KDC 的。
湘公网安备 43102202000103号